Security professionals tend to hold ourselves to impossible standards, demoralizing ourselves and negatively impacting our work. There are logical reasons for this that we need to recognize, because our work is meaningful (even if we never score a book deal).
If you had to guess, what do you suppose is the most commonly heard concern voiced by security professionals on social media? Lack of funding? Insufficient political backing? Interdepartmental politics? Those would all make sense – and they are discussed online, often passionately – however none of them is the number one source of unease. From my vantage point, most security pros are concerned about being taken seriously. Not because of hostility, discrimination, or petty politics … but because of paralyzing self-doubt.
There are two factors in play here that should help this make sense. First, there’s Imposter Syndrome. First recognized in the late 1970s, this is the belief that your success is due more to luck than actual competence or proficiency. It manifests as dread that your colleagues (or customers, superiors, etc.) will discover that you’re not nearly as capable as you seem to be; that you’ll be exposed as a fraud. Given how much security work involves educated hunches, trial-and-error, and luck, it’s perfectly reasonable for everyone in the field to feel inadequate from time to time. We’re not perfectly-rational experts who fully understand our staggeringly complex information environments; we’re people doing the best we can despite inadequate situational awareness, rapidly-shifting conditions, and intelligent adversaries who are determined to make our jobs as difficult as possible.
The second factor dovetails into and reinforces the first: the Dunning-Kruger Effect. First published at the end of the 20thcentury, this is the cognitive bias that causes people to over- or under-estimate their ability in a given field. Paraphrased, the less you know about a field, the more proficient you mistakenly believe they are. Conversely, the more you know, the more you appreciate how much you don’t know, and thereby underestimate how proficient you are. In pop culture, this is source of arrogance that allows a new college graduate with zero experience to strut into a team meeting and expect to be treated as a peer by engineers and leaders with decades of practical experience. ironically, it’s also the effect that causes the most experienced people on a team to self-censor because they suspect that they don’t know enough about a highly-complex problem to adequately contribute.
My observations tend to align with the original premise of Dr. Clance and Dr. Ines, the authors of the original study, who thought that ‘Imposter Phenomenon’ affected more professional women than it did men. I’ve known a lot of women working in security who seemed to undervalue their own talents and contributions even though they were often the smartest and most savvy person at the table.
These two factors plague security professionals. I see and hear manifestations of this on a weekly basis from people who are so far beyond my proficiency level that I can barely keep up with the gist of their technical explanations. This causes brilliant people to act self-deprecating to a fault. Many experts are anxious about their futures, afraid of being ‘outed’ as less technically savvy than they feel they really are. It’s heartbreaking to watch. It’s also completely understandable.
I’ve talked with several friends and colleagues about this, but I don’t feel comfortable sharing their perspectives. Instead, I’ll hold myself up to ridicule. That’s always safe.
Before the current pandemic measures kicked in, I was introduced to a friend-of-a-friend at a social outing. During the usual get-to-know-you part of the evening, my new acquaintance asked me what I did professionally. I gave my title and explained a bit about the security awareness field to provide them some context. I mentioned in passing that I’m a writer. They seemed interested and asked what-all I’d published.
I started by describing my original weekly column on Business Technology, then explained how that had split into columns here on Business Reporter and some over on The European Information Security Summit’s site. All told, with 137 columns on BT, 240 (to date) on BR, and 42 on TEISS, that worked out to 419 pieces of public evidence to corroborate my claim. My companion airily dismissed my ‘evidence’ out of hand. That’s just ‘blogging, they said. Anyone can do that. Doesn’t require any talent. Real writers publish!
… AND always seem to have their own branded podcast AND get paid to lecture AND do celebrity book signings AND get invited to be a talking head on the major news programmes AND … It’s like an all-inclusive celebrity author package.
Taken aback, I added that I’d published 33 articles under my own byline in the print edition of the BT and BR brands that shipped with the Sunday Telegraph. I’d also written columns for 5 of the digital magazine editions. Did that count? Was it in an American paper? No? Then nah. Doesn’t count.
I couldn’t tell if they were winding me up, so I asked them to pull out their phone and search for my name on Amazon.That’s seven Kindle books, I said, three (soon to be four) of which are available as audiobook format as well. They looked … then said Anyone can publish digital content. If you weren’t published by an established and respected publisher then it’s all just vanity press. Might as well be fan-fic.
I realized at this point they my companion was deliberately winding me up. I told them where I planned to deposit the thicker of the two print editions of my books and how that might disrupt their internal anatomy. They laughed, clapped me on the shoulder, and bought the next round. The trouble was … even though I knew they were joking … I kind of agreed with them.
I try to pay attention to the key players in the security awareness field. I see what they’ve accomplished, and feel convicted that I don’t – and will never – measure up to the standard they’ve set. Perry Carpenter, the Chief Evangelist and Strategy Officer for security awareness vendor KnowBe4 for example, recently published a hugely popular book called Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. It’s great. I pre-ordered it, devoured it, and bought copies for my friends. It’s good stuff. Stuff that – for the most part – I already knew from working in the field, but good all the same.
You pick up an awful lot of theory and best-practices working in the trenches.
When I compare Perry’s new book to any of mine, though, I see the differences in stark contrast. Perry’s was printed by an established and respected publishing company; mine weren’t. Perry’s has a professionally-designed cover; mine were all hacked together with amateur equipment and an iPhone. Perry clearly had editor and proofreaders; mine obviously don’t, which is why I have to regularly re-upload minor corrections for all the goof that slipped through during my late night after-work reviews. Perry’s reputation and community influence no-doubt helped him sell thousands of copies; my short monograph on hiring security awareness people sold exactly one copy … that I bought for the tech recruiter that I wrote the entire booklet for. Given the evidence, Perry’s a capital-A Author whereas I’m a common hack. Happy as I am for him for his success (and I do like the fellow) I’m often frustrated that I’ll never achieve anything like it.
Put another way, could I tell people that I’m ‘a writer’? Sure. Just having a work available on Amazon is enough to qualify in some people’s eyes. Just not mine. I can see the difference between Perry’s success as a writer (and the respect that it grants him within our industry niche) and my own. It’s an unbridgeable gap. Nothing for it.
Except … while that might be the gospel from an emotional perspective, intellectually I appreciate that it’s not entirely true. If you write, you’re a writer. If you’ve published something, you’re an author. You might not be a good one, but you qualify. You might not be a commercially successful writer, but that doesn’t mean your efforts were wasted. As mentioned above, I wrote my 75-page Kindle guide for only three people: a recruiter friend of mine, his client who needed to hire their first security awareness person, and whoever he found that was qualified to do the client’s work. That project was never going to come out in hardback or reach the NY Times bestseller list. It was just a practical tool to solve a specific, localized, one-time problem.
Getting back to our community at large, that’s a lesson that we all need to wrap our heads around. We’re security people. All of us. Some luminaries in our field are more famous, more desirable, and more economically successful than most of us … and that’s normal. We can’t all be rock star celebrities with book deals, Instagram fame, and household name recognition. Bill Gates still gets invited to give tech convention keynote addresses; the rest of us will never be considered, let alone asked.
For every rock star entertaining their entourage at swanky nightclubs, there’s an army of anonymous grunts manning the proverbial castle walls all through the night to keep everyone’s data safe.
We all do, however, make a positive difference within our organisations and specialist communities. We solve complicated problems and deliver solutions. Sometimes we get listened to. Then we go home with a pay cheque. Our work is rarely glamourous, but it’s always necessary and sometimes appreciated. The tens of thousands of us out there fighting the good fight every day in the cubicle farms, data centres, and conference rooms help keep our employers afloat and our colleagues employed. That counts.
We can’t let the one-two punch of Imposter Syndrome and Dunning Kruger demoralize us into giving up the fight. There’s too much to do and not enough of us to get it all done. We’re all doing the best we can under the circumstances and most of that time that’s good enough. We’re needed, so we serve to the best of our ability with the resources we have, and we get the job done.
Pop Culture Allusion: None this week
POC is Keil Hubert, email@example.com
Follow him on Twitter at @keilhubert.
Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.